2021/04/15 : This Policy and Disclosure 2021 Edition shows what modifications Project Zero has made for 2021 and why, regarding vulnerability disclosure policies and their consequences for users, vendors, fellow security researchers, and software security norms...
2001/11/09 : One month after the Culp article, the future OIS (Organization for Internet Safety) was announced. Kevin Poulsen analysed what was happening.
"Microsoft and five major computer security companies rounded up the three-day Trusted Computing...
2015/02/13 : "Project Zero has adhered to a 90-day disclosure deadline. Now we are applying this approach for the rest of Google as well. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a...
2017/11/15 : Kieren McCarthy analyses the creation of the VEP (Vulnerability Equities Process).
"The United States government has published its new policy for publicly disclosing vulnerabilities and...
2001/10/18 : Leyden explains Culp's essay.
This artifact is part of the Culp debate Bundle.
2005 : "Part One of this paper explains the current state of computer (in)security and sets forth three ways to restrict publications followed by the most common arguments for and against. It then illustrates the popularity of security publication restrictions with an ...
2009/03/23 : Dennis Fisher highlights the end of free vulnerability disclosure.
"It appears that the free ride is over for software vendors."
1999 : NMRC [Nomad Mobile Research Center] published a bug disclosure policy stating that they would first verify the vulnerabilities they found before notifying the vendor. The public would be informed one month after the vendor in case of a 'very high priority...
2019/07/31 : Here is the Project Zero FAQ.
This artifact is part of the Google Project Zero Bundle.